Cryptowriter: Hardware Wallets - Tragic Flaws & Alternatives
All images in this article are licensed via Adobe Stock.

By Thomas Wolf | wickedthewolf | 12 Oct 2020


Any form of an advanced safe, digital or otherwise, is only as strong as the person holding the keys.  The best defense is a good offense, and the best offense is common sense.

“Common sense is not so common.” ~Voltaire

            Like many people, I’ve been intrigued by the concept of a sleek-looking, highly functional, yet secure device to store and exchange my cryptocurrencies. This desire naturally led me to research hardware wallets, the current gold standard in cryptocurrency asset security. I have discovered hardware wallets can be cracked with relative ease by advanced technical experts using various techniques. These techniques depend on each device’s hardware components and their configuration, and hardware wallets are thus most likely an unnecessary expense for many crypto hobbyists. Hardware wallets are typically reserved more for enthusiasts who want bragging rights or those holding a massive amount of assets that require enhanced security features, such as whales – the biggest fish in the cryptocurrency markets.


            With the proper tweaking of settings, you can enhance your hardware wallet’s security and feel at ease with your coins and tokens. One example, on Trezor-brand models, is opting into an additional passphrase beyond their 16-word security phrases, which can be brute-forced in a few minutes once the device’s chip has been glitched with low-level voltages from an external controller to reveal the wallet’s recovery security phrase. Ledger Nanos (both S and X) are susceptible to attacks from advanced technical experts as well. Other techniques will also be discussed in the video below.

            I am not aware of any hardware wallet that cannot be breached in these extreme circumstances. I have included a YouTube video which demonstrates and explains these techniques and how to help avoid them, featuring technical experts and cryptocurrency holders Dmitry Nedospasov, Thomas Roth, and Josh Datko via 35C3/wallet.fail - it is a highly impressive and informative resource, above all others that I found while researching hardware wallets.



            While this has not been done as of now, some experts say they could produce a retail product that cracks hardware wallets for as little as $75 USD. That is not what you want to hear when you are happily holding large sums of currencies on a supposedly secure device, one that carries a hefty price tag for most people in the world, after being told it cannot be cracked.

            This type of attack is statistically improbable; however, with this knowledge being made public, it is only a matter of time before such a device to crack hardware wallets is available commercially. It is likely they already exist on the dark web. Over time this will make these attacks more prevalent and further challenge security experts to rectify the problems associated with new hardware vulnerabilities.

            Many cryptocurrency hobbyists are perfectly fine with using something as simple as a password-protected desktop wallet while running anti-virus programs to protect them from backdoors and malware, potentially stopping an attack from happening in most cases.  Plenty of people guard their properties with security systems, fire-proof safes, and firearms, giving some individuals a greater sense of protection beyond that of their system.  Others are perfectly content with biometric security on their smartphones alongside mobile wallets with two-factor authentication, though I don’t advocate that.  If you live a careful lifestyle - a clever hiding place could even be your ticket to financial safety.

            What if you could achieve a security level comparable to a hardware wallet with a typical flash drive for less money? A USB flash drive can take you in various directions, including encrypted cold storage (an offline storage environment) that is extremely difficult to decrypt for anyone but the wallet’s creator, assuming you use AES-256-bit encryption and a unique, long passphrase.

            I suspect the NSA within the US government can decrypt AES-256-bit encryption available to citizens, but they are not announcing it to the world if they possess that capability. It would not surprise me to learn that quantum computing is further along than we are being told and that this has been easy work for them for some time, especially after the Snowden revelations. TrueCrypt, VeraCrypt’s predecessor, met its demise on May 28th, 2014, when its staff discontinued software updates and announced they would no longer be maintaining the project. Since then, almost all users have made the switch to VeraCrypt.

            Some users believe it was the result of a TrueCrypt volume being breached by the FBI within the US government in a timeframe that was too fast for a typical brute-force passphrase attack, which would indicate that they decrypted it through other means. They could have used a backdoor, recovered the passphrase from the computer’s RAM, or even used a keylogger. These ideas are all, of course, speculation and conjecture, and went as far as people suspecting the volume’s owner wrote the passphrase down in an easy-to-find location within his residence, which I definitely do not recommend.

            VeraCrypt offers more protection to users from brute-force attacks. Still, if the government has that decryption capability, the only thing that should concern you is whether or not you are a high-profile target for them, because it would be a waste of resources for them to conduct this on a typical user. The man in question was using TrueCrypt to hide classified government information and not to secure his personal finances, making him a high-priority target.

            One could take flash drives even further and make a live USB with a pre-configured Linux distribution, such as Tails OS or, for advanced users, BlackArch Linux, via VMware or VirtualBox. Ubuntu and Linux Mint, with their clean-looking and intuitive user interfaces, would be good distributions for those unfamiliar with Linux terminals.

            Using this method, you can have all of your resources - including your wallets, browsers, and any other desired applications - ready to boot with stacked layers of encryption. You can use a hidden volume via VeraCrypt (or similar). From there, you can keep the contents within the VeraCrypt hidden volume encrypted with 7-Zip; both are freeware and boast AES-256-bit encryption. You could optionally put the hidden volume in a random passphrase-protected 7-Zip file with other contents. Do not use the same passphrase for each layer of security, ever. I’ve put hidden volumes inside hidden volumes before, as well – but I warn you not to forget the series of passphrases you have set in place, or you will lose access to your wallet. I recommend keeping your passphrases backed up in AES-256-bit encryption in multiple locations.

            You may be thinking, can’t encrypted flash drives and 7-Zip be brute-forced? Yes, they can. But not if you use a meticulous and lengthy passphrase, and even if they were to bypass one layer of encryption, they would need to brute-force subsequent ones and still manage to get access to your device for two-factor authentication. For this reason, it is not a concern when properly configured, as it could take many years for a talented cracker to crack a single AES-256-bit passphrase.
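
The arithmetic behind passphrase length and stacked layers, as an added example that is not part of the original article: it estimates search time from passphrase entropy and shows that layers which can each be tested separately add their work rather than multiply it. The guess rate, the 7776-word list size (that of the Diceware list), and the PBKDF2 iteration count are assumptions chosen for illustration.

```python
import hashlib
import math
import os
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def entropy_bits(choices_per_symbol, symbols):
    """Entropy of a passphrase whose symbols are drawn uniformly at random."""
    return symbols * math.log2(choices_per_symbol)

def stacked_bits(layer_bits):
    """Effective strength of layers that can each be verified on their own.

    An attacker solves such layers one after another, so the work is
    2^a + 2^b, not 2^(a+b): stacking adds far less than a longer passphrase.
    """
    return math.log2(sum(2.0 ** b for b in layer_bits))

def years_to_search(bits, guesses_per_second):
    """Expected years to hit the passphrase (half the space on average)."""
    return 2.0 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR

def kdf_seconds_per_guess(iterations, trials=3):
    """Time one PBKDF2-HMAC-SHA512 derivation of a 32-byte (AES-256) key.

    Every guess must pay this cost, so a higher iteration count lowers
    the attacker's guess rate in direct proportion.
    """
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(trials):
        hashlib.pbkdf2_hmac("sha512", b"constructed sample passphrase",
                            salt, iterations, dklen=32)
    return (time.perf_counter() - start) / trials

if __name__ == "__main__":
    rate = 1e6  # assumed attacker speed in guesses per second (hypothetical)
    four_words = entropy_bits(7776, 4)
    cases = {
        "8 random lowercase letters": entropy_bits(26, 8),
        "4 random words (7776-word list)": four_words,
        "two stacked layers, 4 words each": stacked_bits([four_words, four_words]),
        "8 random words, single layer": entropy_bits(7776, 8),
    }
    for label, bits in cases.items():
        print(f"{label:34s} {bits:6.1f} bits  {years_to_search(bits, rate):9.3g} years")
    cost = kdf_seconds_per_guess(100_000)  # iteration count is illustrative
    print(f"one guess at 100,000 PBKDF2 iterations: {cost:.3f} s on this CPU")
```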

            Of course, these methods are far from the only ones, and this is far from the only encryption software available. Another good alternative, featured in the hit show Mr. Robot, is DeepSound – a freeware steganography tool capable of hiding data in audio files such as MP3 and FLAC. These encrypted audio files can be put on a CD or mixed in with other digital media on your hard drive and still play exactly as normal, hiding your data in plain sight with the same AES-256-bit encryption.

            As my mother used to say, “Never keep all your eggs in one basket” – a proverb I applied to cryptocurrencies by using a variety of techniques to secure multiple wallets.   When operating this way, if one is compromised, you do not lose all of your assets.  Also, the attacker would likely think they found the entirety of your finances, when in fact, it would likely be an intended decoy with just enough funds on it to make them think it is a primary wallet.

            I cannot emphasize enough the importance of multiple layers of protection, regardless of what device, encryption types, or alternative techniques you use to protect your personal information, especially your finances. You should have three security layers at minimum, including two-factor authentication, AES-256-bit encryption, and another technique of your choice. It’s often been said among intermediate to advanced users that the best anti-virus is common sense. However, to be on the safe side, I’d advocate that everyone use some form of anti-virus software that is kept up to date, especially those new to cryptocurrencies or computer security.


            Your first line of defense should always be common sense. Your last line of defense should be your life, but that is highly dependent on the importance of the contents; you cannot spend your crypto if you are dead. However, I could see why an individual would take a bullet to protect massive amounts of financial assets for their family. So long as there existed multiple copies of the wallet’s public and private keys, their family could later access and withdraw the funds, as is the case with Ledger backup packs that come at a discount when you buy the models S and X in a pair. Fortunately, this is not currently a common issue, but one must be prepared for anything if that is the case.

            The layers of protection are not only what type of encryption you use, but the lifestyle you lead.  I, for example, pair my encryption knowledge with added home security.  I believe you are far more likely to become compromised by those you know or converse with, whether they are associates, friends, relatives, strangers, or even a significant other – or people that know those people and find out you have assets to protect.

Image by author

            Given enough money, time, and resources, just about anything can be breached by well-educated and talented individuals who are so inclined. However, I am here to urge another form of caution: social engineering.

            I believe the best protection one can have alongside things already mentioned is anonymity. By remaining as anonymous as possible, you remain challenging to identify, let alone to track, monitor, or attack. In the age of decentralized currencies and exchanges, this is only getting easier and, in many cases, more profitable.

            My research concludes that no asset is genuinely secure once you’ve been identified, tracked, and found with your wallet by advanced techs with nothing to impede their desire for financial gain, especially if they are violent. You may have to resort to using lethal force in a situation that extreme, depending on the laws of your jurisdiction regarding home and work invasions and self-defense; you can’t spend your crypto from prison either. By following common-sense guidelines, you can be reasonably sure it will never go that far; the radical individuals and groups that would attempt this cannot attempt it if they don’t have a way to find you or your wallets.

            I had intended to purchase a Ledger Nano X for this article in the hopes of doing a cross-comparison. However, I won’t waste my money, as I’ve discovered hardware wallets are just as susceptible to attacks as the wallets I’ve already configured. I could even argue that by using my techniques, along with others not mentioned, your assets will be even safer than they would be for a person who flexes their hardware wallet. Properly configured or not – that will most definitely attract the wrong kind of attention.

            I hope this article has served as an informative way to figure out how best to protect your cryptocurrencies. There is no one-size-fits-all method for crypto-asset security. You have to decide for yourself how much security you need based on your unique circumstances.

Questions and comments are always welcome, as are debates!

As always, stay smart & stay safe.

-Thomas Wolf



This article was originally published on Voice.com

